Reply to post: There's a dangerous assumption here.

If you're despairing at staff sharing admin passwords, look on the bright side. That's CIA-grade security

Anonymous Coward

There's a dangerous assumption here.

Sorry to stir the pot a bit here, but the ability to BREAK things does not automatically imply an ability to make things better as well - the skillsets are not identical.

The failure is IMHO organisational rather than personal: there should have been someone in charge of ensuring safe practices and security. Sure, they could then use their in-house skills to shake the structure to see if it was solid, but hacking is a point skill, defence is a general, must-cover-all-the-bases process that is less exciting but FAR more exacting to perform.

Breaking in is a weakest-link idea - one vulnerability and you're in, so you collect data on zero-day problems, and see if there's a way you can make code operate out of spec/bounds. Defence is a multi-layer proposition that is process, systems, patching and putting as many layers between you and the outside world as practicality and budget allow.

This is IMHO a leadership failure.
